x509: certificate signed by unknown authority (set insecure registries)
Building a Kubernetes cluster
When you build a cluster with kubeadm init, you may run into the error below.
[Error]
[ERROR ImagePull]: failed to pull image k8s.gcr.io/kube-apiserver:v1.22.3: output: Error response from daemon: Get "https://k8s.gcr.io/v2/": x509: certificate signed by unknown authority
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/kube-controller-manager:v1.22.3: output: Error response from daemon: Get "https://k8s.gcr.io/v2/": x509: certificate signed by unknown authority
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/kube-scheduler:v1.22.3: output: Error response from daemon: Get "https://k8s.gcr.io/v2/": x509: certificate signed by unknown authority
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/kube-proxy:v1.22.3: output: Error response from daemon: Get "https://k8s.gcr.io/v2/": x509: certificate signed by unknown authority
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/pause:3.5: output: Error response from daemon: Get "https://k8s.gcr.io/v2/": x509: certificate signed by unknown authority
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/etcd:3.5.0-0: output: Error response from daemon: Get "https://k8s.gcr.io/v2/": x509: certificate signed by unknown authority
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/coredns/coredns:v1.8.4: output: Error response from daemon: Get "https://k8s.gcr.io/v2/": x509: certificate signed by unknown authority
, error: exit status 1
[preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...`
To see the stack trace of this error execute with --v=5 or higher
[What the error means]
The connection made to pull the container images succeeded, but the certificate the registry presented was signed by an authority the node does not know.
Because the registry cannot be trusted, the images cannot be pulled.
[Cause]
The node does not treat the certificate served for k8s.gcr.io as valid, because its issuer is not in the local trust store (for example an outdated CA bundle, or a TLS-intercepting proxy in front of the node).
[Fix]
There are three possible fixes.
Method 1) Update the CA certificate bundle
Try the update: yum update ca-certificates
Method 2) Download the certificate and register it on the server
(Docker) create the per-registry certificate directory first, then save the chain the registry presents:
mkdir -p /etc/docker/certs.d/k8s.gcr.io
openssl s_client -showcerts -connect k8s.gcr.io:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/k8s.gcr.io/ca.crt
Method 3) Register k8s.gcr.io as an insecure registry (certificate verification is skipped for it)
(Docker)
Write the following in /etc/docker/daemon.json (Docker expects a bare host[:port]; an entry with a scheme such as https:// is rejected with "should not contain '://'"):
{ "insecure-registries" : ["k8s.gcr.io"] }
Restart the Docker daemon: systemctl restart docker
(CRI-O)
Register the registry in /etc/crio/crio.conf under the [crio.image] section (the key is lowercase):
[crio.image]
insecure_registries = [
"k8s.gcr.io"
]
Restart CRI-O: systemctl restart crio
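The check a practitioner wants before choosing between methods 2 and 3 is to look at who actually signed the certificate the registry served: a public CA means a stale CA bundle (method 1), while a private or proxy CA means that CA belongs in the system trust store, not in an insecure-registries list that turns off verification for the host. The following is an added example, not code from the post: it parses the text of an `openssl s_client -showcerts` run (the sample output and its certificate bodies are constructed placeholders), extracts the PEM blocks and issuer names, and builds a daemon.json entry that keeps existing keys and strips the scheme that Docker rejects.

```python
import json
import re
from urllib.parse import urlsplit

# One PEM certificate block, possibly spanning many lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)
# Issuer lines printed by `openssl s_client` in its "Certificate chain" section.
ISSUER_LINE = re.compile(r"^\s*i:(.+)$", re.MULTILINE)

# Constructed stand-in for `openssl s_client -showcerts -connect k8s.gcr.io:443`
# output. The certificate bodies are placeholders, not real certificates.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 O = Example Corp Proxy CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = k8s.gcr.io
   i:O = Example Corp Proxy CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFCERTIFICATEBODY
-----END CERTIFICATE-----
 1 s:O = Example Corp Proxy CA
   i:O = Example Corp Proxy CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERCACERTIFICATEBODY
-----END CERTIFICATE-----
---
"""


def split_pem_chain(s_client_output: str) -> list:
    """Return every PEM certificate the server sent, in the order presented.
    The last block is the issuer-side end of the chain; that is the one to
    inspect before deciding to trust anything."""
    return PEM_BLOCK.findall(s_client_output)


def chain_issuers(s_client_output: str) -> list:
    """Return the issuer name of each certificate in the presented chain.
    A corporate or proxy CA here means the fix is to install that CA,
    not to disable verification."""
    return [m.strip() for m in ISSUER_LINE.findall(s_client_output)]


def registry_host(value: str) -> str:
    """Normalise an entry for Docker's insecure-registries list.
    Docker accepts host[:port] or a CIDR, never a URL, so a scheme is
    stripped and anything that still is not a bare host is rejected."""
    v = value.strip()
    if "://" in v:
        v = urlsplit(v).netloc
    if not v or "/" in v or any(c.isspace() for c in v):
        raise ValueError(f"not a registry host: {value!r}")
    return v


def add_insecure_registry(daemon_json_text: str, registry: str) -> dict:
    """Merge one registry into an existing daemon.json document without
    clobbering the other keys already configured there."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    host = registry_host(registry)
    entries = cfg.setdefault("insecure-registries", [])
    if host not in entries:
        entries.append(host)
    return cfg


def daemon_json_text(cfg: dict) -> str:
    """Render the configuration as the text to write to /etc/docker/daemon.json."""
    return json.dumps(cfg, indent=2) + "\n"


if __name__ == "__main__":
    print("issuers:", chain_issuers(SAMPLE_S_CLIENT_OUTPUT))
    print("PEM blocks:", len(split_pem_chain(SAMPLE_S_CLIENT_OUTPUT)))
    merged = add_insecure_registry('{"log-driver": "json-file"}', "https://k8s.gcr.io")
    print(daemon_json_text(merged), end="")
```

In a real run, feed the saved output of the openssl command to `chain_issuers` and `split_pem_chain`. Keep in mind that an insecure-registries entry makes the daemon accept any certificate for that host (and fall back to plain HTTP), so method 3 gives up image authenticity for that registry and should be the last choice.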
Reference: https://docs.openshift.com/container-platform/3.11/crio/crio_runtime.html